Summary: | <app-text/xpdf-4.01.01: stack consumption issue in md5Round1() located in Decrypt.cc | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | bircoph |
Priority: | Low | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://forum.xpdfreader.com/viewtopic.php?f=3&t=41263 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=681112 | ||
Whiteboard: | ~3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
D'juan McDonald (domhnall)
2019-03-21 09:30:17 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a41a80fe3a6ef79385c29bb540684f9aa00d42f commit 0a41a80fe3a6ef79385c29bb540684f9aa00d42f Author: Andrew Savchenko <bircoph@gentoo.org> AuthorDate: 2019-03-21 10:59:47 +0000 Commit: Andrew Savchenko <bircoph@gentoo.org> CommitDate: 2019-03-21 11:00:32 +0000 app-text/xpdf: remove old and vulnerable version Bug: https://bugs.gentoo.org/681112 Bug: https://bugs.gentoo.org/681140 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Andrew Savchenko <bircoph@gentoo.org> app-text/xpdf/Manifest | 1 - app-text/xpdf/xpdf-4.0.1.ebuild | 116 ---------------------------------------- 2 files changed, 117 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b695c59184713a18e2a7809f40088eff130afb6 commit 6b695c59184713a18e2a7809f40088eff130afb6 Author: Andrew Savchenko <bircoph@gentoo.org> AuthorDate: 2019-03-21 10:55:44 +0000 Commit: Andrew Savchenko <bircoph@gentoo.org> CommitDate: 2019-03-21 11:00:31 +0000 app-text/xpdf: security version bump xpdf-4.01.01 fixes several vulnerabilities and problems reported by Loginsoft, including CVE-2019-9589. CVE-2019-9588 and CVE-2019-9587 are probably fixed as well, but it is not clear from ChangeLog: The PDFDoc(BaseStream) initializer wasn't working correctly. Fixed a missing array bounds check in PSOutputDev. [Thanks to Loginsoft for the bug report.] ^-- CVE-2019-9589 If the "U" string used for RC4 decryption is short, Adobe apparently zero-pads it, so Xpdf now does the same. ^-- Maybe CVE-2019-9588 Pdffonts now checks more carefully for loops between objects. ^-- Looks like CVE-2019-9587 Fixed a problem parsing large real numbers. [Thanks to Loginsoft for the bug report.] Bug: https://bugs.gentoo.org/681112 Bug: https://bugs.gentoo.org/681140 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Andrew Savchenko <bircoph@gentoo.org> app-text/xpdf/Manifest | 1 + app-text/xpdf/xpdf-4.01.01.ebuild | 113 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+) Andrew Savchenko - Thank you for the quick response. ping @security, please add to CVETool. |